Build WAF with Reverse Proxy Load Balancer using Nginx

Rumi,

Getting Started

First, it is recommended to update and upgrade all your software packages to the latest version. You can update all of them by running the following command:

apt update -y
apt upgrade -y

Once all the packages are updated, install other required packages with the following command:

apt install g++ flex bison curl apache2-dev doxygen libyajl-dev ssdeep liblua5.2-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev git liblmdb-dev libpkgconf3 lmdb-doc pkgconf zlib1g-dev libssl-dev -y

Once you are done, you can proceed to the next step.

Install ModSecurity on Ubuntu 22.04

By default, the ModSecurity package is not included in the Ubuntu default repository. So you will need to compile it from the source.

First, download the latest version of ModSecurity with the following command:

wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.8/modsecurity-v3.0.8.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf modsecurity-v3.0.8.tar.gz

Next, navigate to the extracted directory and configure it with the following command:

cd modsecurity-v3.0.8
./build.sh
./configure

Next, install it with the following command:

make
make install

Install Nginx with ModSecurity 3 Support

Next, you will need to install the Nginx with ModSecurity support. First, download the ModSecurity-nginx connector with the following command:

cd ~
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

Next, download the Nginx source using the following command:

wget https://nginx.org/download/nginx-1.20.2.tar.gz

Next, extract the Nginx source with the following command:

tar xzf nginx-1.20.2.tar.gz

Next, create a user for Nginx with the following command:

useradd -r -M -s /sbin/nologin -d /usr/local/nginx nginx

Next, change the directory to the Nginx source and configure it with the following command:

cd nginx-1.20.2
./configure --user=nginx --group=nginx --with-pcre-jit --with-debug --with-compat --with-http_ssl_module --with-http_realip_module --add-dynamic-module=/root/ModSecurity-nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log

Next, install it with the following command:

make
make modules
make install

Next, create a symbolic link of Nginx with the following command:

ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/

Next, verify the Nginx version using the following command:

nginx -V

You will get the Nginx version in the following output:

nginx version: nginx/1.20.2
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1) 
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --with-pcre-jit --with-debug --with-compat --with-http_ssl_module --with-http_realip_module --add-dynamic-module=/root/ModSecurity-nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log

Once you are done, you can proceed to configure Nginx with ModSecurity.

Configure Nginx with ModSecurity

Next, copy the sample configuration files with the following command:

cp ~/modsecurity-v3.0.8/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp ~/modsecurity-v3.0.8/unicode.mapping /usr/local/nginx/conf/

Next, backup the Nginx configuration file:

cp /usr/local/nginx/conf/nginx.conf{,.bak}

Next, edit the Nginx configuration file:

nano /usr/local/nginx/conf/nginx.conf

Remove default lines and add the following lines:

load_module modules/ngx_http_modsecurity_module.so;
user nginx;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name _;
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
access_log /var/log/nginx/access_example.log;
error_log /var/log/nginx/error_example.log;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
#}
##########
upstream mybackend {
server 192.168.100.10;
server 192.168.100.11;
server 192.168.100.12;
}

server {
listen 80;
listen 443 ssl;
server_name *.com;
# ssl on;
ssl_certificate /user/share/cert/cert.pem;
ssl_certificate_key /user/share/cert/private.key;
ssl_session_cache shared:SSL:120m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

add_header Strict-Transport-Security "max-age=31536000";

location / {
proxy_pass http://mybackend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
}
}
}

Save and close the file, then enable the ModSecurity with the following command:Advertisement

sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /usr/local/nginx/conf/modsecurity.conf

Once you are done, you can proceed to the next step.

Install ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set provides a set of rules to detect and protect a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.

First, download the OWASP rule set with the following command:

cd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/local/nginx/conf/owasp-crs

Next, rename crs-setup.conf.example to crs-setup.conf file:

cp /usr/local/nginx/conf/owasp-crs/crs-setup.conf{.example,}

Next, define the rules with the following command:

echo -e "Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf" >> /usr/local/nginx/conf/modsecurity.conf

Next, verify the Nginx for any configuration error with the following command:

nginx -t

If everything is fine, you will get the following output:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Once you are done, you can proceed to the next step.

Create a Systemd Service File for Nginx

Next, you will need to create a systemd service file to manage the Nginx service. So that you can start and stop the Nginx service via systems. You can create it with the following command:

nano /etc/systemd/system/nginx.service

Add the following lines:

[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/local/nginx/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/local/nginx/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

Save and close the file, then reload the systemd daemon to apply the changes:

systemctl daemon-reload

Next, start and enable the Nginx with the following command:

systemctl start nginx
systemctl enable nginx

You can check the Nginx status using the following command:

systemctl status nginx

You should see the following output:

? nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/etc/systemd/system/nginx.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2022-10-11 15:40:39 UTC; 6s ago
Docs: man:nginx(8)
Process: 68438 ExecStartPre=/usr/local/nginx/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 68439 ExecStart=/usr/local/nginx/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 68440 (nginx)
Tasks: 2 (limit: 4579)
Memory: 20.0M
CPU: 293ms
CGroup: /system.slice/nginx.service
??68440 "nginx: master process /usr/local/nginx/sbin/nginx -g daemon on; master_process on;"
??68441 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" >
Oct 11 15:40:38 ubuntu2204 systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 11 15:40:39 ubuntu2204 systemd[1]: Started A high performance web server and a reverse proxy server.

Once you are finished, you can proceed to the next step.

Verify ModSecurity

After installing and configuring Modsecurity with Nginx. It’s time to test it. Run the following command to test the Modsecurity against command injection:

curl localhost?doc=/bin/ls

If everything is fine, you will get the “403 Forbidden” massage.

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.2</center>
</body>
</html>

You can also check the Modesecurity log using the following command:

tail /var/log/modsec_audit.log

You should see the ModSecurity log in the following output:

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/"] [unique_id "166550286018.572845"] [ref "o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/"] [unique_id "166550286018.572845"] [ref ""]

—IcTYGSZl—I–

—IcTYGSZl—J–

—IcTYGSZl—Z–

Src: https://www.howtoforge.com/install-modsecurity-3-with-nginx-on-ubuntu-22-04/?fbclid=IwAR2Lb66JKBv0-7RSySTQ6vG6qooNsU4_UaEy_6bsXuSjgJi4AAUw5MkcLq8

Administrations Application Configurations (Linux)

Leave a Reply

Your email address will not be published. Required fields are marked *